It’s been more than three years since the then-White House cyber czar Michael Daniel said he wanted to kill the password dead.
But most citizen- and business-facing sites across the government continue to rely on the dreaded username-and-password approach to validate the user’s identity.
This is why the Treasury Department’s Bureau of Fiscal Service is taking on user authentication, which many consider one of the most challenging technology projects the federal government has faced over the last 20 years.
Marshall Henry, a program manager in the Office of Financial Innovation and Transformation in the Bureau of Fiscal Service, said the bureau has developed a strategy and vision to apply two-factor authentication to its service and finally kill the password dead.
Henry said BFS will develop an enterprise hub for all programs to authenticate its citizen and business customers.
“Now, we are moving to the implementation phase with our IT area. We will partner with a handful of programs over the next years to reach the goal of when we will implement each one of those. There are a number of drivers there,” Henry said in an interview with Federal News Network. “Our next big driver is to set up a federation bridge, which will be the hub for all programs to connect to.”
Henry said the bureau is still figuring out its implementation schedule for the 10-plus services it offers.
“We don’t want to have a negative impact on the citizens. We do want to give them quality services. So fitting in when those changes go into effect and how we communicate it to the citizens will be up to each of those 10 programs to really manage and make sure we have a good impact with the citizen,” he said. “We want to focus on the customer experience to citizens and businesses, and look at how we can both improve that, meet emerging security requirements and hopefully achieve some sort of economies of scale for the bureau.”
The Fiscal Service’s citizen-facing services include pay.gov, which lets people pay a debt owed to the government, and the Electronic Federal Tax Payment System (EFTPS), which lets citizens and businesses pay their taxes online.
Henry said the bureau is focusing on its citizen and business services because it found inconsistent user experiences.
“We have a number of scenarios where it takes citizens 10 days to get access to our systems,” he said. “What we want to do is set forth for the bureau a common way for what the need is for access and then offer, through the private sector, a portfolio of ways to authenticate those customers. We will be partnering with credential service providers to hopefully offer a better user experience for citizens.”
Henry said the goal is to make access fast for citizens, so the bureau will rely on private sector best practices as well as current federal efforts such as the General Services Administration’s Login.gov service or the ID.me identity management service the Department of Veterans Affairs uses for its customers.
Beyond the inconsistent user experience, Henry said there are other drivers pushing the bureau to move to two-factor authentication.
“NIST has come out with new standards so all of these programs will have to make some changes to how they authenticate their users,” he said. “We also have a financial incentive here in that each of these programs are maintaining the processes to authenticate their customers themselves. As the fiscal service, we are paying for it multiple times.”
Henry said while the bureau is only focused on its internal systems initially, the agency realizes there may be opportunities to share their approach or provide it as a shared service of sorts in the longer-term future.